Linux: File Permission System
This page is a tutorial on the file permission system on unix/linux.
Here's an example of unix file perms.
For example, let's look at this line:
drwxr-xr-x@ 10 root wheel 340 Nov 28 2017 usr
- usr is the file name.
- root is the name of the file's owner.
- wheel is the name of the file's group.
- drwxr-xr-x@ is the file's perm.
- The leading d means this usr file is a dir.
- The first perm set rwx means it can be {read, write, execute} by its owner.
- The second perm set r-x means it can be {read, not write, execute} by anyone who is in the group.
- The third perm set r-x means anyone else can {read, not write, execute} it.
The “at sign” @ is MacOS only. It means the file has an extended attribute. 〔see MacOS Extended Attribute, At sign @ in ls〕
Unix File Permission System
Each File has One Owner
Here's an example of a file's permission when you do ls -al:
drwxr-xr-x 40 root wheel 1360 May 13 08:50 bin
Here, drwxr-xr-x is the perm, root is the owner, wheel is the group, and bin is the file name.
On unix, a file has an “owner” attribute. The owner is a login account name. Each file has one owner. (A directory is also considered a file in unix.) In the above example, the owner of the file “bin” is the login name “root”.
Each File has One Group
A file also has a “group” attribute.
A group is a set of login names, and can be set up by sys admins.
For example, if the machine has logins of {jone, mary, david, joe}, a sys admin can create a group named “engineers” whose members are {joe, david}, and another group named “sales” with membership of {jone, david, mary}. There can be any number of groups. Each login name can be in multiple groups. An “owner” name and a “group” name can be the same, but there is no special connection.
By default, unix creates several groups. A common one is “wheel”, which is meant as a group name for “root”. (Typically, this group is for sys admins.)
Summary:
- A unix machine has one or more “user”.
- A unix machine has one or more “group”.
- A “group” is a set of users.
- A “user” has an id, called “uid”.
- A “group” has an id, called “gid”.
- Each user is associated with at least one group, called the user's “primary group”.
- Each file is associated with one user, called its “owner”.
- Each file is associated with one group.
For creating new {user, group}, listing {user, group}, or finding out their id, see: Linux: Users and Groups
File Attributes: {read, write, execute} for {owner, group, other}
Every file has permission attributes. The 3 most important permissions are:
- Read perm. Indicated as r
- Write perm. Indicated as w
- Execute perm. Indicated as x
Together, these make a permission set, shown as rwx when they are all on.
For each file, there are 3 sets of rwx permission. One is associated with the file's “owner”, one is associated with the file's “group”, and another is associated with a special name called “other” (which means all those who are not the owner and not in the group).
So, typically, when you do ls -l in unix, you will see lines like:
drwxr-xr-x 40 root wheel 1360 May 13 08:50 bin
Here, drwxr-xr-x is the perm, root is the owner, wheel is the group, and bin is the file name.
The “d” means it's a directory. You'll see 3 sets of “rwx” after it.
- r: Read perm bit is on.
- w: Write perm bit is on.
- x: Execute perm bit is on.
- -: Bit is off.
- The first set of “rwx” is associated with the file's owner.
- The second set of “rwx” is associated with the file's “group”.
- The third set of “rwx” is associated with the file's “other”, which applies to all users who are not the owner and not in the group.
Notice in the above example, the directory “bin” also has the execute bits on (the “x”) for all {owner, group, other}. That is because, in order to list directory content, the directory not only needs the read permission on, but due to unix idiosyncrasy, it must also have the execute bit on. (unix perm system is badly designed.)
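The three perm sets are not merged: unix picks exactly one of {owner, group, other} for the user asking, in that order, and uses only that set's bits. The following POSIX sh script is an added example, not code from the original page; the user names, group memberships and modes in it are constructed for illustration, and the function names (perm_class, bits_for, can_list_dir) are my own. It resolves the class for a user and then applies the rule from the paragraph above that listing a dir needs both r and x.

```shell
#!/bin/sh
# Added example (not from the original page): resolve which of the three
# perm sets (owner, group, other) applies to a user, then check the bits.
# User names, group names and modes below are constructed for illustration.

# perm_class USER OWNER GROUP [GROUPS_OF_USER...]
# Prints owner, group or other. Unix picks exactly one class, in this
# order, and uses only that class's bits; a more permissive "group" or
# "other" set does not help a user who is the owner.
perm_class() {
    _user=$1; _owner=$2; _group=$3; shift 3
    if [ "$_user" = "$_owner" ]; then
        echo owner
        return 0
    fi
    for _g in "$@"; do
        if [ "$_g" = "$_group" ]; then
            echo group
            return 0
        fi
    done
    echo other
}

# bits_for MODE CLASS -> the rwx triplet for that class.
# MODE is the 10-character ls -l field, e.g. drwxr-xr-x (type + 3 sets).
bits_for() {
    case $2 in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
        *)     return 1 ;;
    esac
}

# can_list_dir MODE USER OWNER GROUP [GROUPS_OF_USER...]
# Succeeds (exit 0) when USER can run ls on the directory: the applicable
# class needs both r (read the entries) and x (search/traverse the dir).
# Note: root bypasses these checks entirely.
can_list_dir() {
    _mode=$1; shift
    _class=$(perm_class "$@")   # remaining args: USER OWNER GROUP GROUPS...
    _bits=$(bits_for "$_mode" "$_class")
    case $_bits in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed scenario: bin is owned by root:wheel with drwxr-xr-x.
# mary is in wheel; joe is in staff only.
for who in "root root wheel wheel" "mary root wheel wheel staff" "joe root wheel staff"; do
    set -- $who
    printf '%s -> class %s, can list: ' "$1" "$(perm_class "$@")"
    if can_list_dir drwxr-xr-x "$@"; then echo yes; else echo no; fi
done

# The owner class is chosen first, so d---rwxrwx locks out the owner even
# though everyone else can list the dir.
if can_list_dir d---rwxrwx root root wheel wheel; then
    echo "owner can list d---rwxrwx"
else
    echo "owner cannot list d---rwxrwx"
fi
```

The last check is the caveat worth remembering: giving “group” or “other” more bits than “owner” does not widen the owner's access, it narrows it, because the owner never falls through to the later sets.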
Changing File's Owner/Group
chown userName fileName
- Change the owner of a file. 〔see Users and Groups〕
chgrp groupName fileName
- Change the group owner of a file. 〔see Users and Groups〕
Changing File's Permissions
chmod octal_number fileName
- Change the permission bits of a file. Often, you want to do chmod 664 fileName. (664 = rw-rw-r--; typical text file perm bits)
umask octal_number
- Set the default permission bits for newly created files.
These commands use 3 octal digits to specify the 3 sets of perm bits. See man chown, man chgrp.
# set xx.jpg file's perm to 644, which is rw-r--r--
chmod 644 xx.jpg
Memorize Perm Bits Octal Conversion
Here's how to memorize the perm in octal:
- “r” is 4
- “w” is 2
- “x” is 1
- “-” is 0
So, add them together. For example, if you want “r--”, then that's 4. If you want “r-x”, then that's 5. Do this for each of the {owner, group, other} perm sets, then you get 3 digits. For example, “rw-r--r--” is 644.
644 is the most common for files. 755 is the most common for dirs.
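The octal conversion above, and the umask command from the previous section, both come down to a few bit operations. The following POSIX sh script is an added example, not code from the original page; the function names (triplet_digit, sym_to_octal, octal_to_sym, umask_result) and the sample modes are my own. It converts in both directions and, going one step beyond the text, computes the mode a new file or dir actually receives under a given umask: typical tools request 666 for files and 777 for dirs, and the kernel clears every bit that is set in the mask.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the symbolic
# rwx form and the octal digits, and compute what a given umask leaves for
# newly created files and dirs. Only the r, w, x bits are handled; the
# special bits (setuid s, setgid s, sticky t) are out of scope here.

# triplet_digit TRIPLET -> 0..7, using r=4, w=2, x=1, -=0 as in the text.
triplet_digit() {
    _n=0
    case $1 in r??) _n=$((_n + 4)) ;; esac
    case $1 in ?w?) _n=$((_n + 2)) ;; esac
    case $1 in ??x) _n=$((_n + 1)) ;; esac
    printf '%s\n' "$_n"
}

# sym_to_octal SYMBOLIC -> 3 octal digits.
# Accepts either rw-r--r-- or the 10-char ls form drwxr-xr-x.
sym_to_octal() {
    _s=$1
    if [ "${#_s}" -eq 10 ]; then
        _s=$(printf '%s\n' "$_s" | cut -c2-10)   # drop the file-type char
    fi
    printf '%s%s%s\n' \
        "$(triplet_digit "$(printf '%s\n' "$_s" | cut -c1-3)")" \
        "$(triplet_digit "$(printf '%s\n' "$_s" | cut -c4-6)")" \
        "$(triplet_digit "$(printf '%s\n' "$_s" | cut -c7-9)")"
}

# digit_triplet DIGIT -> rwx triplet for one octal digit.
digit_triplet() {
    case $1 in
        0) printf '%s\n' '---' ;; 1) printf '%s\n' '--x' ;;
        2) printf '%s\n' '-w-' ;; 3) printf '%s\n' '-wx' ;;
        4) printf '%s\n' 'r--' ;; 5) printf '%s\n' 'r-x' ;;
        6) printf '%s\n' 'rw-' ;; 7) printf '%s\n' 'rwx' ;;
        *) return 1 ;;
    esac
}

# octal_to_sym OCTAL -> symbolic form, e.g. 755 -> rwxr-xr-x
octal_to_sym() {
    printf '%s%s%s\n' \
        "$(digit_triplet "$(printf '%s\n' "$1" | cut -c1)")" \
        "$(digit_triplet "$(printf '%s\n' "$1" | cut -c2)")" \
        "$(digit_triplet "$(printf '%s\n' "$1" | cut -c3)")"
}

# umask_result MASK file|dir -> the mode a new file or dir gets.
# Typical tools request 666 for files and 777 for dirs (new regular files
# never get x by default); every bit set in the mask is cleared.
umask_result() {
    case $2 in
        file) _base=0666 ;;
        dir)  _base=0777 ;;
        *)    return 1 ;;
    esac
    printf '%03o\n' $(( _base & ~0$1 ))
}

echo "rw-r--r-- = $(sym_to_octal rw-r--r--)"             # 644
echo "drwxr-xr-x = $(sym_to_octal drwxr-xr-x)"           # 755
echo "664 = $(octal_to_sym 664)"                         # rw-rw-r--
echo "umask 022, new file: $(umask_result 022 file)"     # 644
echo "umask 022, new dir:  $(umask_result 022 dir)"      # 755
echo "umask 077, new file: $(umask_result 077 file)"     # 600
```

The umask_result function explains why the common defaults line up: with the usual umask of 022, new files come out as 644 and new dirs as 755, the two values the text calls the most common. A stricter mask such as 077 yields 600 and 700, readable by the owner only.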
Change Multiple Files Perm in Batch
To change multiple files in batch, you can use the command find to traverse a dir. Example:
# set all dirs under current dir to 755, which is rwxr-xr-x
find . -type d -print0 | xargs -0 chmod 755
# set all files under current dir to 644, which is rw-r--r--
find . -type f -print0 | xargs -0 chmod 644
# set all file owner in current dir to xah
find . -type f -exec chown xah {} ';'